
Rule: API Gateway Stage Logging Should Be Enabled

Ensure that execution logging is enabled on every API Gateway stage. This rule is rated High severity under the CISA Cyber Essentials framework.

Rule: API Gateway stage logging should be enabled
Framework: CISA-cyber-essentials
Severity: High

API Gateway Stage Logging for CISA Cyber Essentials

Enabling API Gateway stage logging supports the CISA Cyber Essentials, a guide for leaders of small businesses and local government agencies on where to start when implementing organizational cybersecurity practices. Logs of who called an API, what was requested, and how the backend responded are the evidence those practices depend on.

Understanding API Gateway Stage Logging

In AWS API Gateway, a stage is a deployed snapshot of a REST API, and logging is configured per stage. Two kinds of logs can be sent to CloudWatch Logs: execution logs, which record what API Gateway did while handling each request (request and response passing through the integration, errors, and, when full data logging is on, the headers and bodies themselves), and access logs, one record per request in a format you define (caller IP, method, path, status code, latency). This rule checks that execution logging is set to ERROR or INFO on the stage; the CLI command later on this page enables access logging as well. Both are essential for security: they let you spot anomalous callers, trace a suspicious request end to end, and reconstruct what happened during an incident.

Enabling API Gateway Stage Logging

Prerequisites

  • Access to AWS Management Console with the necessary permissions.
  • An existing API Gateway stage.

Step-by-Step Guide for Enabling Logging

Step 1: Access API Gateway Console

Navigate to the AWS Management Console and open the API Gateway service.

Step 2: Choose API

Select the API for which you want to enable logging.

Step 3: Set Up Logging Role

API Gateway writes execution logs through an IAM role that is registered once per account and region (the 'CloudWatch log role ARN' under the API Gateway Settings page), not per stage. Enabling logging on a stage fails until that role is set.

  • Navigate to IAM and create a new role whose trust policy allows the service principal apigateway.amazonaws.com to assume it.
  • Attach the
    AmazonAPIGatewayPushToCloudWatchLogs
    policy to the role.
  • In the API Gateway console, open 'Settings' and enter the role's ARN as the CloudWatch log role ARN.

Step 4: Configure Stage Settings

  • Within the API Gateway console, open the API and navigate to 'Stages'.
  • Select the stage where you want to enable logging.
  • Under 'Logs/Tracing', set up CloudWatch settings:
    • Activate 'CloudWatch Logs'.
    • Choose 'INFO' or 'ERROR' as the log level. ERROR records only failures; INFO records every request, which is what you want for investigation.
    • Optionally enable full request/response data logging. Treat this as a deliberate decision: it writes headers and bodies, including any bearer tokens, cookies or personal data, to CloudWatch, so whoever can read the log group can read them. Leave it off on production stages unless you are actively debugging and have restricted access to the log group.
  • The role is not chosen here; the stage uses the account-level CloudWatch log role configured in Step 3.

Step 5: Save Changes

Ensure all settings are correct, and then click 'Save Changes' to apply them.

Step 6: Verify Logging

  • Invoke the API at least once; execution logs are written per request, so an idle stage produces nothing.
  • Navigate to CloudWatch Logs and look for the log group named API-Gateway-Execution-Logs_{rest-api-id}/{stage-name}, which API Gateway creates automatically, and for new log streams inside it.
  • If you configured access logging, check the log group you chose as its destination as well.

Troubleshooting Steps

If logs are not appearing in CloudWatch:

  1. Confirm that the IAM role has the
     AmazonAPIGatewayPushToCloudWatchLogs
     policy.
  2. Verify that the IAM role trust relationship allows apigateway.amazonaws.com to assume the role.
  3. Confirm that the role's ARN is registered as the CloudWatch log role ARN in the API Gateway account settings for the region; without it, saving stage logging settings returns an error about the CloudWatch Logs role ARN.
  4. Confirm that the logging level (ERROR or INFO, not OFF) is set in the API Gateway stage settings and that the API has been invoked since the change.
  5. Ensure CloudWatch Logs has not reached its limits or check for any service disruptions.

Additional CLI Commands for Remediation

To enable execution logging (log level and data trace) and access logging on a stage through the AWS CLI, after the CloudWatch log role has been registered for the account (the access log group must already exist, and its ARN uses the form log-group:{name} with no trailing :*):

aws apigateway update-stage \
    --rest-api-id {API_ID} \
    --stage-name {STAGE_NAME} \
    --patch-operations \
      op=replace,path=/accessLogSettings/destinationArn,value='arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}' \
      op=replace,path=/accessLogSettings/format,value='{logging_format}' \
      op=replace,path=/*/*/logging/dataTrace,value='true|false' \
      op=replace,path=/*/*/logging/loglevel,value='ERROR|INFO'

Make sure you replace {API_ID}, {STAGE_NAME}, {region}, {account_id}, and {log_group_name} with your specific details, {logging_format} with your desired access log format (it must include $context.requestId), and pick one value for each of the true|false and ERROR|INFO placeholders. The /*/*/ paths set the stage-wide default that this rule checks.

To attach the IAM policy:

aws iam attach-role-policy \
    --role-name {ROLE_NAME} \
    --policy-arn arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs

Replace {ROLE_NAME} with the name of the role you created earlier.
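The following Python script ties the procedure above together as an offline check and remediation builder: it evaluates the JSON that `aws apigateway get-stage` returns against this rule (stage-wide `*/*` logging level set to ERROR or INFO), flags full request/response logging as a caveat, and emits the `update-account` and `update-stage` commands with patch operations passed as JSON so that quotes and commas in the access log format survive the shell. It is an added example for this page, not Cloud Defense's scanner and not AWS code; it makes no AWS calls, and every API ID, stage name, ARN and role below is a constructed placeholder.

```python
"""Offline check and remediation builder for 'API Gateway stage logging should be enabled'.

Added example for this page; not Cloud Defense's scanner and not AWS code.
Input is the JSON shape of `aws apigateway get-stage`; output is the patch-operation
JSON that `aws apigateway update-stage` / `update-account` accept. All identifiers are
constructed placeholders.
"""
import json
import shlex

COMPLIANT_LEVELS = ("ERROR", "INFO")
# AWS requires at least $context.requestId in an access log format.
DEFAULT_ACCESS_LOG_FORMAT = json.dumps({
    "requestId": "$context.requestId", "ip": "$context.identity.sourceIp",
    "method": "$context.httpMethod", "path": "$context.path",
    "status": "$context.status", "requestTime": "$context.requestTime",
})

# Constructed get-stage output: a stage with no logging configured at all.
STAGE_NO_LOGGING = {"stageName": "prod", "deploymentId": "d1e2f3", "methodSettings": {}}

# Constructed get-stage output: execution logging, full data trace and access logging on.
STAGE_LOGGED = {
    "stageName": "prod", "deploymentId": "d1e2f3",
    "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": True}},
    "accessLogSettings": {
        "destinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:/apigw/prod-access",
        "format": DEFAULT_ACCESS_LOG_FORMAT,
    },
}


def execution_log_level(stage):
    """Stage-wide execution log level from the '*/*' method settings, 'OFF' when unset.
    Per-method overrides live under other keys; the rule looks at the stage default."""
    return stage.get("methodSettings", {}).get("*/*", {}).get("loggingLevel", "OFF")


def evaluate_stage(stage):
    """Rule verdict plus the caveats a reviewer would want flagged."""
    level = execution_log_level(stage)
    findings = []
    if level not in COMPLIANT_LEVELS:
        findings.append("execution logging is OFF for */* (rule violated)")
    if "accessLogSettings" not in stage:
        findings.append("no access log destination configured")
    if stage.get("methodSettings", {}).get("*/*", {}).get("dataTraceEnabled"):
        findings.append("full request/response data logging is on: headers and bodies, "
                        "which may carry tokens or personal data, are written to CloudWatch")
    return {"compliant": level in COMPLIANT_LEVELS, "loggingLevel": level, "findings": findings}


def remediation_patch_ops(log_level="INFO", data_trace=False, access_log_arn=None,
                          access_log_format=DEFAULT_ACCESS_LOG_FORMAT):
    """Patch operations for `aws apigateway update-stage --patch-operations`.
    Data trace defaults to off because of the finding above; turn it on deliberately."""
    if log_level not in COMPLIANT_LEVELS:
        raise ValueError("loggingLevel must be ERROR or INFO")
    ops = [
        {"op": "replace", "path": "/*/*/logging/loglevel", "value": log_level},
        {"op": "replace", "path": "/*/*/logging/dataTrace", "value": "true" if data_trace else "false"},
    ]
    if access_log_arn is not None:
        # Destination is the log-group ARN itself: ':log-group:' form, no trailing ':*'.
        if (not access_log_arn.startswith("arn:aws:logs:") or ":log-group:" not in access_log_arn
                or access_log_arn.endswith(":*")):
            raise ValueError("destinationArn must be a CloudWatch Logs log-group ARN")
        ops.append({"op": "replace", "path": "/accessLogSettings/destinationArn", "value": access_log_arn})
        ops.append({"op": "replace", "path": "/accessLogSettings/format", "value": access_log_format})
    return ops


def cloudwatch_role_trust_policy():
    """Trust policy the CloudWatch log role must carry (troubleshooting step 2)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def account_role_patch_op(role_arn):
    """Account-level 'CloudWatch log role ARN' setting, applied with update-account."""
    return {"op": "replace", "path": "/cloudwatchRoleArn", "value": role_arn}


def render_commands(rest_api_id, stage_name, role_arn, ops):
    """Two shell lines, in the order they must run: account role first, then the stage."""
    return [
        "aws apigateway update-account --patch-operations "
        + shlex.quote(json.dumps([account_role_patch_op(role_arn)])),
        f"aws apigateway update-stage --rest-api-id {rest_api_id} --stage-name {stage_name} "
        "--patch-operations " + shlex.quote(json.dumps(ops)),
    ]


if __name__ == "__main__":
    for stage in (STAGE_NO_LOGGING, STAGE_LOGGED):
        print(json.dumps(evaluate_stage(stage), indent=2))
    fix = remediation_patch_ops("INFO", access_log_arn=STAGE_LOGGED["accessLogSettings"]["destinationArn"])
    print(json.dumps(cloudwatch_role_trust_policy(), indent=2))
    print("\n".join(render_commands("abc123", "prod", "arn:aws:iam::123456789012:role/apigw-cw-logs", fix)))
```

Run it with `python3 check_stage_logging.py`; to check a real stage, replace the constructed dictionaries with the output of `aws apigateway get-stage --rest-api-id ... --stage-name ...`. The generated `update-stage` line fails until the `update-account` line has been applied, which is the same ordering the console enforces through its Settings page.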

Conclusion

By enabling stage logging in line with CISA Cyber Essentials, you gain the visibility needed to detect and investigate misuse of your API Gateway resources. Test the settings after every change, confirm that logs actually arrive after a request, restrict who can read log groups that may contain request data, and review the logs regularly rather than only after an incident.
